The U.S. CLOUD Act and the EU: A Privacy Protection Race to the Bottom

U.S. President Donald Trump’s $1.3 trillion government spending bill, signed March 23rd, offered 2,323 pages of budgeting on issues ranging from domestic drug policy to defense. The last-minute rush to fund the U.S. government through this all-or-nothing “omnibus” presented legislators with a golden opportunity to insert policies that would escape deep public scrutiny. Case in point: the Clarifying Lawful Use of Overseas Data (CLOUD) Act, whose broad ramifications for undermining global privacy should not be underestimated, was snuck into the final pages of the bill before the vote.

Between the U.S. CLOUD Act and new European Union (EU) efforts to dismantle international rules for cross-border law enforcement investigations, the United States and EU are racing against one another towards an unfortunate finish line: weaker privacy protections around the globe.

The U.S. CLOUD Act allows the U.S. President to enter into “executive agreements” with qualifying foreign governments in order to directly access data held by U.S. technology companies at a lower standard than required by the Constitution of the United States. To qualify, foreign governments would need to be certified by the U.S. Attorney General, and meet certain human rights standards set in the act. Those qualifying governments will have the ability to bypass the legal safeguards of the Mutual Legal Assistance Treaty (MLAT) regime.

In addition, U.S. law enforcement agencies (from local police to federal agents) can now compel U.S. and foreign technology[1] companies to disclose communications data of U.S. and foreign users that is stored overseas, regardless of the data’s physical location, potentially bypassing the countries’ privacy and data protection laws. Permitting the U.S. access to data which can be located anywhere sets a dangerous precedent for other countries, who are likely to demand similar access to data held in the United States. Such expansion of U.S. law enforcement power breaks the principle of territoriality, the core component of international law, and will produce a domino effect of information requests that overstep responding countries’ privacy safeguards.

Leaked documents obtained by the media network EURACTIV revealed the European Commission’s plans to launch two proposals on April 17th: a regulation on access to and preservation of electronic data held by companies that mirrors the CLOUD Act’s self-serving agenda, and a directive "to appoint a legal representative within the [EU] bloc".

According to EURACTIV, the regulation would grant EU member states the power to circumvent the responding countries’ privacy laws in fulfilling information requests. If passed, countries could demand data access of technology companies within 10 days or, in the case of an “imminent threat to life or physical integrity of a person or to a critical infrastructure,” technology companies could be compelled to comply within just six hours. Such demands would apply to internet companies such as Google, social networks like Facebook, Instagram, and Twitter, as well as cloud technology providers, domain name registries, registrars and “digital marketplaces” that allow consumers and/or traders to conclude peer-to-peer transactions.

The directive, as reported by EURACTIV, will force any company collecting data in the EU to appoint a legal representative in the EU bloc to address law enforcement data requests. This demand would be particularly onerous for companies that do not even have an office in the EU, let alone store their data in the EU. Requiring all companies to maintain an EU legal representative will stifle innovation by further stacking the deck in favor of tech giants who have the resources to comply.

Prior to the announcement of the U.S. CLOUD Act, the European Commission had already begun a process to improve access to electronic evidence within EU member states. In June 2017, the European Commission presented to EU Justice Ministers a set of options to improve cross-border access to e-evidence. Ministers then asked the Commission to come forward with concrete legislative proposals. A public consultation held from August to October 2017 gave some hints of the EU’s intention to adopt legislation that would enable far-reaching information demands on companies located not only within, but also outside, the European Union.

In a statement on how the European Union can “improve” cross border access to data, Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality said:

"Our current investigation tools are not fit for the way the digital world works … These tools still work within the limits of the principle of territoriality, which is at odds with the cross-border nature of e-services and data flows. As a result investigators' work is slowed down when dealing with cybercrime, terrorism and other forms of criminal activities, even where such crimes are not cross-border in nature. This is why we launched an expert consultation in 2016."

However, the EU proposals—coupled with the U.S. CLOUD Act—signal a potentially dangerous and uncoordinated race to the bottom. The principle of territoriality has provided an important mechanism for maintaining privacy standards in a world where data is increasingly available from multiple sources operating in multiple locations around the globe. Although territorial protections for privacy were being litigated before the U.S. Supreme Court in the case United States v. Microsoft, before the CLOUD Act, U.S. officials could not ignore local privacy safeguards when seeking access to data hosted in a foreign state. (Just last week, the U.S. Department of Justice submitted a motion to the court to declare the case “moot,” according to a recent report by The Irish Times.)

Similarly, EU law must currently respect U.S. privacy safeguards when seeking to access content stored by companies in the United States. Both initiatives are willing to jettison the principle of territoriality and the foreign privacy safeguards that accompany it: the U.S. CLOUD Act allows U.S. law enforcement to ignore EU privacy protections, while the EU proposals, if passed, ignore U.S. privacy protections regarding access to content stored in the United States. However, neither would be pleased with the reciprocal impact of a world without territorial privacy.

Indeed, Commissioner Jourová has already decried deficiencies in the United States’ approach, stating on Twitter that she wants to see “the EU and the U.S. have compatible rules for obtaining evidence stored on servers located in another country, in order to solve serious crimes. Unfortunately, the U.S. Congress has adopted the CLOUD Act in a fast-track procedure.”

It remains to be seen whether EU- and U.S.-based lawmakers or courts will accept the European Commission’s attempts to bypass EU and U.S. privacy safeguards. Our friends from European Digital Rights (EDRi) have warned against such proposals in the EU.

EDRi’s Senior Policy Advisor, Maryant Fernández, told EFF:

"If the Commission does not change its mind prior to publication of its proposals on April 17, it would be proposing dangerous short cuts to access people's data directly from companies, turning companies into judicial authorities."

The irony is that such unilateral moves to ignore foreign privacy standards are hardly necessary. While practical challenges currently exist in cross-border access to data, these challenges relate primarily to a lack of efficiency and clarity in the prevailing MLAT regime. This deficiency can be easily addressed through:

1. The express codification of a dual privacy regime that meets the standards of both the requesting and the host state. Dual data privacy protection will help ensure that as nations seek to harmonize their respective privacy standards, they do so on the basis of the highest privacy standards. Absent a dual privacy protection rule, nations may be tempted to harmonize at the lowest common denominator; and

2. Improved training for law enforcement to draft requests that meet such standards, and other practical measures.

Now is the time for improving MLATs. The EU must ensure a level of predictability, accountability and procedural safeguards that is at least equal to the level that currently exists. Moreover, the EU does not have to follow the U.S. down the same path of privacy abandonment. Instead, EU institutions and Member States have the opportunity to champion logical solutions that help law enforcement access digital evidence while still protecting privacy and maintaining respect for the sovereignty of other nations. Until we know more, we must wait. But know that, as soon as these proposals produce their first public agreements, EFF will learn, evaluate, and potentially fight for better privacy rights in Europe, and around the world.

[1] U.S. extraterritorial warrants could apply to foreign companies; the U.S. just has to find a sufficient jurisdictional nexus to send an order. So Telegram, even though German, serves customers in the U.S. and can be subject to an order.
